RPC security help

dm4327

Hello,

My computer was recently attacked using vulnerabilities in
RPC / Microsoft DCOM. I have since read Microsoft Security
Bulletin MS03-026
[Buffer Overrun In RPC Interface Could Allow Code
Execution (823980)]
and have installed the recommended patch. I have also
installed a Sygate firewall to prevent further attacks.
However, I was looking through "System Information" in the
Microsoft system tools folder and I noticed some strange
changes, which I do not know how to fix. I have pasted
the log below. Any help would be appreciated. Thank you
in advance!

09/08/2003 16:39:02 ADDED msblast.exe Startup Programs
11/08/2003 22:37:53 CHANGED Accessories Property "UserName" changed from "Default User" to "All Users". Program Group
11/08/2003 22:37:53 CHANGED Accessories Property "Name" changed from "Default User:Accessories" to "All Users:Accessories". Program Group
11/08/2003 22:37:53 CHANGED Accessories\Accessibility Property "UserName" changed from "Default User" to "All Users". Program Group
11/08/2003 22:37:53 CHANGED Accessories\Accessibility Property "Name" changed from "Default User:Accessories\Accessibility" to "All Users:Accessories\Accessibility". Program Group
11/08/2003 22:37:53 CHANGED Accessories\Entertainment Property "UserName" changed from "Default User" to "All Users". Program Group
11/08/2003 22:37:53 CHANGED Accessories\Entertainment Property "Name" changed from "Default User:Accessories\Entertainment" to "All Users:Accessories\Entertainment". Program Group
11/08/2003 22:37:53 CHANGED Startup Property "UserName" changed from "Default User" to "All Users". Program Group
11/08/2003 22:37:53 CHANGED Startup Property "Name" changed from "Default User:Startup" to "All Users:Startup". Program Group
11/08/2003 22:37:53 CHANGED Accessories Property "UserName" changed from "NT AUTHORITY\SYSTEM" to "Default User". Program Group
11/08/2003 22:37:53 CHANGED Accessories Property "Name" changed from "NT AUTHORITY\SYSTEM:Accessories" to "Default User:Accessories". Program Group
11/08/2003 22:37:53 CHANGED Accessories\Accessibility Property "UserName" changed from "NT AUTHORITY\SYSTEM" to "Default User". Program Group
11/08/2003 22:37:53 CHANGED Accessories\Accessibility Property "Name" changed from "NT AUTHORITY\SYSTEM:Accessories\Accessibility" to "Default User:Accessories\Accessibility". Program Group
11/08/2003 22:37:53 CHANGED Accessories\Entertainment Property "UserName" changed from "NT AUTHORITY\SYSTEM" to "Default User". Program Group
11/08/2003 22:37:53 CHANGED Accessories\Entertainment Property "Name" changed from "NT AUTHORITY\SYSTEM:Accessories\Entertainment" to "Default User:Accessories\Entertainment". Program Group
11/08/2003 22:37:53 CHANGED Startup Property "UserName" changed from "NT AUTHORITY\SYSTEM" to "Default User". Program Group
11/08/2003 22:37:53 CHANGED Startup Property "Name" changed from "NT AUTHORITY\SYSTEM:Startup" to "Default User:Startup". Program Group
11/08/2003 22:37:53 CHANGED Accessories Property "UserName" changed from "OEM\OEMUSER" to "NT AUTHORITY\SYSTEM". Program Group
11/08/2003 22:37:53 CHANGED Accessories Property "Name" changed from "OEM\OEMUSER:Accessories" to "NT AUTHORITY\SYSTEM:Accessories". Program Group
11/08/2003 22:37:53 CHANGED Accessories\Accessibility Property "UserName" changed from "OEM\OEMUSER" to "NT AUTHORITY\SYSTEM". Program Group
11/08/2003 22:37:53 CHANGED Accessories\Accessibility Property "Name" changed from "OEM\OEMUSER:Accessories\Accessibility" to "NT AUTHORITY\SYSTEM:Accessories\Accessibility". Program Group
11/08/2003 22:37:53 CHANGED Accessories\Entertainment Property "UserName" changed from "OEM\OEMUSER" to "NT AUTHORITY\SYSTEM". Program Group
11/08/2003 22:37:53 CHANGED Accessories\Entertainment Property "Name" changed from "OEM\OEMUSER:Accessories\Entertainment" to "NT AUTHORITY\SYSTEM:Accessories\Entertainment". Program Group
11/08/2003 22:37:53 CHANGED Administrative Tools Property "UserName" changed from "OEM\OEMUSER" to "All Users". Program Group
11/08/2003 22:37:53 CHANGED Administrative Tools Property "Name" changed from "OEM\OEMUSER:Administrative Tools" to "All Users:Administrative Tools". Program Group
11/08/2003 22:37:53 CHANGED Startup Property "UserName" changed from "OEM\OEMUSER" to "NT AUTHORITY\SYSTEM". Program Group
11/08/2003 22:37:53 CHANGED Startup Property "Name" changed from "OEM\OEMUSER:Startup" to "NT AUTHORITY\SYSTEM:Startup". Program Group
11/08/2003 22:37:53 CHANGED C:\WINDOWS\System32\CTFMON.EXE Property "User" changed from "NT AUTHORITY\SYSTEM" to ".DEFAULT". Startup Programs
11/08/2003 22:37:53 CHANGED C:\WINDOWS\System32\CTFMON.EXE Property "Location" changed from "HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" to "HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run". Startup Programs
11/08/2003 22:37:53 CHANGED desktop.ini Property "User" changed from ".DEFAULT" to "All Users". Startup Programs
11/08/2003 22:37:53 CHANGED desktop.ini Property "Location" changed from "Startup" to "Common Startup". Startup Programs
11/08/2003 22:37:53 CHANGED desktop.ini Property "User" changed from "NT AUTHORITY\SYSTEM" to ".DEFAULT". Startup Programs
11/08/2003 22:37:53 CHANGED desktop.ini Property "User" changed from "OEM\OEMUSER" to "NT AUTHORITY\SYSTEM". Startup Programs

David Loyall

You said:
Hello,
My computer was recently attacked using vulnerabilities in
RPC / Microsoft DCOM. [snip]
09/08/2003 16:39:02 ADDED msblast.exe
Startup Programs

Ok. You're infected with a trojan called MSBLASTER.
Here's what happened. Before you installed the patch,
some other msblaster-infected computer connected to yours,
and, through the RPC vulnerability, installed msblast.exe
on your computer. Now, it's running, and your computer is
connecting to other computers, spreading the worm.

Solution:
Hit ctrl+alt+del to bring up the task manager. You might
need to click the 'Task Manager' button, too. Locate the
msblast.exe process. Kill it. Locate and delete the
msblast.exe file. (In c:\windows\system32, probably. Or
%WINDIR%\system32, if you prefer.) That takes care of
msblast. As far as I know. It's pretty simple.

But you might have been infected with more than one
trojan. So, use an antivirus (I recommend the free
online scan found at http://housecall.antivirus.com ).
Also, visit http://windowsupdate.microsoft.com because
there may be *other* vulnerabilities that you've not yet
installed patches for. Again, use of an antivirus is
important, because msblast does open a method of remote
access, i.e., real people could connect to it and do things
to your system. Maybe they already have.

Hope this helps.
--David Loyall
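A triage script for the System Information change log pasted in the question, as an added example that is not part of either post. It parses the entries in the one-line form the tool writes, sets aside the Program Group entries (which only record which profile owns a Start-menu folder) and flags the auto-start changes: the msblast.exe entry the reply points at, and the Run-key relocation of ctfmon.exe, which is a standard Windows component and only deserves a second look. The sample lines are copied from the post; the regexes, severities and the KNOWN_WORM_FILES list are this example's own assumptions.

```python
import re
from dataclasses import dataclass
# One System Information change-log entry (as pasted in the thread) on a single line.
ENTRY_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<action>ADDED|CHANGED|REMOVED) (?P<body>.+?) ?'
    r'(?P<category>Startup Programs|Program Group)$')
# Body of a CHANGED entry: item, property, old value, new value.
CHANGE_RE = re.compile(
    r'^(?P<item>.+?) Property "(?P<prop>[^"]+)" changed '
    r'from "(?P<old>[^"]*)" to "(?P<new>[^"]*)"\.$')
# Auto-start file names the thread identifies as the Blaster worm (assumed list).
KNOWN_WORM_FILES = {"msblast.exe"}
# Constructed sample: three entries copied from the post's log, unwrapped.
SAMPLE_LOG = [
    r'09/08/2003 16:39:02 ADDED msblast.exe Startup Programs',
    r'11/08/2003 22:37:53 CHANGED Accessories Property "UserName" changed from "Default User" to "All Users". Program Group',
    r'11/08/2003 22:37:53 CHANGED C:\WINDOWS\System32\CTFMON.EXE Property "Location" changed from "HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" to "HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run". Startup Programs',
]

@dataclass
class Finding:
    severity: str
    reason: str
    line: str

def parse_entry(line):
    # Returns the entry's fields as a dict, or None for a line that is not an entry.
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    change = CHANGE_RE.match(entry["body"]) if entry["action"] == "CHANGED" else None
    entry.update(change.groupdict() if change else {"item": entry["body"]})
    return entry

def triage(lines):
    # Flags entries that touch auto-start persistence and ignores the rest.
    findings = []
    for line in lines:
        e = parse_entry(line)
        if e is None or e["category"] != "Startup Programs":
            continue  # Program Group entries only record which profile owns a menu folder
        if e["action"] == "ADDED":
            known = e["item"].lower() in KNOWN_WORM_FILES
            findings.append(Finding("high" if known else "medium",
                                    f"{'known worm' if known else 'new'} auto-start entry {e['item']}", line))
        elif e.get("prop") == "Location" and "\\Run" in e.get("new", ""):
            # A Run-key entry moving between hives deserves a look; ctfmon.exe itself is a standard Windows component.
            findings.append(Finding("low", f"Run-key auto-start relocated for {e['item']}", line))
    return findings
```

Run `triage(SAMPLE_LOG)` to get one high finding for msblast.exe and one low finding for CTFMON.EXE; the Accessories entry produces nothing.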